The following revisions are made to the April 15, 2008, issuance of the HHS-OCIO-2008-0001.002, HHS-OCIO Policy for Responding to Breaches of Personally Identifiable Information (PII):

1. Section 5.3.2 is changed to preface the Computer Security Incident Response Center (CSIRC) with Department of Health and Human Services (HHS) to reduce confusion with any Federal or Operating Division (OPDIV) CSIRC efforts. Furthermore, the sentence is changed to include the HHS-CSIRC email: “As directed by the HHS CISO, notify the HHS Computer Security Incident Response Center (CSIRC) at csirc@hhs.gov within one hour of learning about a suspected or confirmed PII data breach.”

2. Throughout the document, minor grammatical changes are made to improve clarity.

This policy established the Department of Health and Human Services (HHS) PII Breach Response Team (BRT) (henceforth called the “HHS BRT”). It also established the actions taken to identify, manage, and respond to suspected or confirmed breaches of PII.

This policy is issued under the authority of the HHS-OCIO-2007-0002, Policy for Department-wide Information Security, dated September 25, 2007, and supersedes the April 15, 2008, issuance of the HHS-OCIO-2008-0001.002, HHS-OCIO Policy for Responding to Breaches of Personally Identifiable Information (PII).

HHS is responsible for managing the information it stores, processes, and transmits in support of its business functions in accordance with federal laws and regulations. The Department is also responsible for the security of the information that the public has entrusted to it, including PII, that can be used to distinguish or trace an individual’s identity such as a name or social security number (SSN). HHS must, therefore, mitigate the risks associated with the inadvertent loss or unapproved disclosure of PII.

Any unauthorized use, disclosure, or loss of such information can result in the loss of the public’s trust and confidence in the Department’s ability to properly protect it. Some information or data types, such as PII, require additional protection due to its sensitivity and the risks of misuse associated with a potential unauthorized disclosure. PII data breaches may have far-reaching implications for individuals whose PII is compromised, including identity theft resulting in financial loss and/or personal hardship experienced by the individual. A PII data breach may also require significant HHS staff, time, assets, and financial resources to mitigate the negative consequences, which may prevent the Department from allocating those resources elsewhere.

The HHS Policy for Responding to Breaches of PII ensures that responses to PII data breaches are consistent, comprehensive, complete, and delivered in an effective and timely manner in order to minimize the risk to the Department and individuals.

Department officials shall apply this policy to employees, contractor personnel, interns, and other non-government employees. All organizations collecting or maintaining information, or using or operating information systems on behalf of the Department, are also subject to the stipulations of this policy. The content of and compliance with this policy shall be incorporated into applicable contract language or memoranda of agreement under separate cover (e.g., Interim HHSAR FISMA policy). Agencies shall use this policy or may create a more restrictive OPDIV/STAFFDIV policy, but not one that is less restrictive, less comprehensive, or less compliant with this document.

HHS has established a BRT in compliance with two Office of Management and Budget (OMB) memoranda (M): Recommendations for Identity Theft Related Data Breach Notification, released on September 20, 2006; and M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, released on May 22, 2007. The HHS BRT is comprised of several of the Department’s senior leaders who engage in risk analysis to determine whether a potential or confirmed breach of PII poses problems related to identity theft and/or any applicable federal law or policy. If the HHS BRT determines that there has been a breach of PII, then the team must assess the risk level associated with the breach, and tailor the Department’s response accordingly. The HHS BRT will coordinate its response with the appropriate OPDIV/STAFFDIV breach analysis and incident response capabilities.

This policy defines the HHS roles and responsibilities for properly managing breaches of PII at all Department levels and is effective immediately upon release.

4.2.1 HHS shall develop and employ a risk-based approach to evaluate the appropriateness and effectiveness of PII breach response activities prior to providing any external notification, as detailed in the HHS BRT Standard Operating Procedures.

4.2.2 The HHS BRT shall identify which, if any, action(s) will be taken, as well as relay that information to the affected OPDIV/STAFFDIV.

4.2.3 The HHS BRT shall determine whether there is evidence of actual harm and, if so, shall assess whether the PII is at a low, moderate, or high risk of being compromised. The HHS BRT shall use the National Institute of Standards and Technology (NIST) security standards and guidance to make this assessment. (1)

4.2.4 The HHS Information Security and Privacy Program, the HHS BRT, and all responsible organizations—including employees and contractors—are required to provide notification as specified in the roles and responsibilities below.

4.3.1 The HHS BRT shall evaluate response activities to ensure that implementation is commensurate with the impact to the individual, the OPDIV/STAFFDIV, and the Department, and complies with applicable law(s).

4.3.2 HHS Information Security and Privacy Program shall ensure that suspected or confirmed breaches of PII on systems owned or operated by the Department, including those owned or operated by federal contractors or grantees on behalf of the Department, are identified, tracked, and responded to in an effective, consistent, and timely manner.

4.4.1 The HHS BRT shall ensure that notifications are made to the affected individuals, the HHS Records Officer, and third parties (e.g., media outlets and public and private sector agencies), as appropriate, regarding lost or compromised PII. The HHS BRT shall determine appropriate responses to Congressional inquiries resulting from such loss, as necessary

Responsible organizations within HHS include the OPDIVs and STAFFDIVs. Responsible organizations shall:

5.1.1 Report within one hour of discovery all suspected or confirmed PII data breaches in any format (i.e., electronic or paper) to the HHS Chief Information Security Officer (CISO) through the HHS Information Security and Privacy Program, and include the minimum information as determined by the HHS BRT Standard Operating Procedures. The HHS BRT Chair may request additional information as needed.

5.1.3 Ensure that OPDIV/STAFFDIV policies are consistent with the requirements set forth in this policy.

5.1.4 Ensure continuous coordination with the HHS BRT during mitigation of a suspected or confirmed breach.

5.1.5 Assign a point of contact (POC) to conduct coordination and communication activities between the business owner at the responsible organization, the OPDIV CISO (as appropriate), and the HHS BRT for all suspected or confirmed PII data breaches.

5.1.6 Evaluate each data breach to determine the likelihood of PII loss or compromise.

5.1.7 Perform a risk assessment of each suspected or confirmed PII data breach to include the following: (1) an evaluation of the impact; (2) planned response activities commensurate with the type of loss or compromise; and (3) the residual risk to HHS, the responsible organization(s), and to the individual(s).

5.1.8 Provide updates to the HHS Information Security and Privacy Program and the HHS BRT as additional information is discovered, including changes in status, impact, and risk.

5.1.9 Coordinate with the business owner(s) and the OPDIV CISO to develop a response plan for each suspected or confirmed PII data breach and provide this plan to the HHS BRT for review and approval. The minimum timeframe and requirements for the response plan are determined by the HHS BRT Chair with the consensus of HHS BRT members.

5.1.10 If the response plan calls for the notification of affected individuals, the HHS BRT will implement a plan to notify those individuals without unreasonable delay upon confirmation of a breach of PII.

5.1.11 Provide an after-action report, which contains information as determined by the HHS BRT Standard Operating Procedures, for the HHS BRT to review. The HHS BRT Chair may request additional information, as needed

All employees and contractors shall “report any suspected or actual computer incidents immediately to their help desk support, OPDIV Senior Information Systems Security Officer, or other designated personnel.” (2)

It is the responsibility of all employees and contractors to notify their supervisor or security officer immediately if a PII data breach is suspected or confirmed to have occurred. Additionally, all employees and contractors are required to take the general privacy awareness training, which highlights the importance of protecting PII, reviews privacy and security violations, and explains where to report such violations. (3)

The HHS BRT is composed of Department senior management and executive leadership. The members are responsible for directing and overseeing all HHS BRT activities. Details of the HHS BRT composition and member responsibilities are further defined in the HHS-2008-0001.001C (PII BRT Charter, dated April 14, 2008).

To fulfill its primary responsibilities, the HHS BRT shall perform the following activities:

5.4.1 Develop a charter to define the HHS BRT as a committee of the HHS Risk Management and Financial Oversight Board (RMFOB), identify executive leadership and senior management members, and define member responsibilities.

5.4.2 Appoint the HHS Chief Information Officer (CIO), who is also the designated HHS Senior Agency Official for Privacy (SAOP), as the HHS BRT Chair. (5)

5.4.3 Appoint an HHS BRT Coordinator as the liaison to the HHS Information Security and Privacy Program, the HHS BRT, and OPDIVs/STAFFDIVs to collect additional information once the initial notification is made to the HHS Information Security and Privacy Program.

5.4.9 Notify and consult with the proper government entities and convey the required information5.4.1 Develop a charter to define the HHS BRT as a committee of the HHS Risk Management and Financial Oversight Board (RMFOB), identify executive leadership and senior management members, and define member responsibilities. (6)

5.4.13 Provide notification and assessment of information breaches to RMFOB.

5.4.14 Prepare an annual report of all HHS BRT activities each calendar year and provide the report to the RMFOB, OPDIV/STAFFDIV heads, and OPDIV CIOs.

5.4.15 Ensure notification of lost or comprised PII is made to the affected individuals, the HHS Records Officer, and third parties (e.g., media outlets, public and private sector agencies), as appropriate.

All Department policies, standards, procedures and information security controls are posted on the following website: http://www.hhs.gov/ocio/policy/index.html. Direct questions, comments, suggestions, or requests for further information to the HHS Information Security and Privacy Program at (202) 205-9581.

The effective date of this policy is the date on which the policy is approved.

These policies and procedures will not be implemented in any recognized bargaining unit until the union has been provided notice of the proposed changes and given an opportunity to fully exercise its representational rights.

The HHS policies contained in this issuance shall be exercised in accordance with Public Law 93-638, the Indian Self-Determination and Education Assistance Act, as amended, and with the Secretary's policy statement dated August 7, 1997, as amended, titled "Department Policy on Consultation with American Indian/Alaska Native Tribes and Indian Organizations." HHS' policy is to consult with Indian people to the greatest practicable extent and to the extent permitted by law before taking actions that affect these governments and people; to assess the impact of the Department's plans, projects, programs and activities on tribal and other available resources; and to remove any procedural impediments to working directly with tribal governments or Indian people.

Breach – The compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or loss of control of personally identifiable information (PII). Any similar term referring to situations in which unauthorized persons, or authorized persons with unauthorized privileges, gain access or potential access to either physical or electronic PII.

Personally Identifiable Information (PII) – Information within an IT system or online collection: (1) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.), or (2) by which an agency intends to identify specific individuals in conjunction with other data elements (i.e., indirect identification). (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors.)

Risk – The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system, given the potential impact of a threat and the likelihood of that threat occurring.

Risk Assessment – The process of identifying risks to organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system. Part of risk management and synonymous with risk analysis, risk assessment incorporates threat and vulnerability analyses and considers mitigations provided by established or planned security controls.

NOTES:

(1) See OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, Attachment 3(B)(1)(a-e).

(5) Per OMB M-05-08, Designation of Senior Agency Officials for Privacy, HHS has designated the HHS CIO as the SAOP. Should this designation change, both the HHS CIO and SAOP must sit on HHS BRT, with the HHS CIO continuing to serve as HHS BRT Chair.

(6) See OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, Attachment 2(A)(1).